How to handle DMARC failures when email is forwarded by recipients?

Key findings

• Common issue: Forwarded emails frequently fail DMARC checks, particularly those routed through services like Microsoft 365, due to modifications that invalidate SPF and DKIM. SPF is especially vulnerable to forwarding as it relies on the sending IP, which changes during forwarding. You can learn more about how email forwarding affects SPF, DKIM, and DMARC validation.
• Authentication breakdown: Despite originating from properly aligned systems, forwarded messages often show DMARC failures because both SPF and DKIM authentication are broken by the forwarding mechanism.
• Subdomain impact: A subdomain dedicated to alerts might experience higher DMARC failure rates for forwarded mail, even if the primary domain has a strong DMARC pass rate and a reject policy.
• Limited visibility: DMARC reports may indicate failures but often lack granular detail on whether the email was rejected, quarantined, or delivered, making troubleshooting challenging.
• Beyond O365: While Microsoft 365 is a common culprit, other services and cloud-based security appliances, including those on AWS ranges, can also contribute to DMARC failures through improper forwarding.

Key considerations

• No direct control: Senders typically cannot dictate how recipients' email systems handle forwarding, limiting direct technical solutions.
• Policy implications: A DMARC policy of p=reject can lead to legitimate forwarded emails being blocked, causing critical alerts to be missed. Understanding how email forwarding and DMARC policies affect delivery is crucial.
• Recipient outreach: If feasible, educating recipients about adding the sender to their allow-list can mitigate some issues, but this is often impractical for a large, unknown audience.
• Alternative channels: For critical alerts, consider offering alternative notification methods beyond email, such as webhooks, SMS, or direct integrations (e.g., PagerDuty, Signal), to ensure delivery.
• DMARC report analysis: Utilize DMARC reports to identify the sources of failures, even if detailed disposition is missing. Aggregating and analyzing reports can reveal problematic domains or IP ranges. More on why DMARC fails for forwarded emails.

Key opinions

• M365 prevalence: Many marketers observe that Microsoft 365 accounts are frequent sources of DMARC failures due to incorrectly configured forwarding rules.
• Limited control: It is generally acknowledged that senders cannot control or modify how recipients' email systems (including M365) handle email forwarding.
• Reporting challenges: Analyzing DMARC reports manually to identify specific failing recipients or the exact disposition of messages can be extremely difficult. This highlights the importance of tools that diagnose DMARC failures using DMARC reports.
• Allow-listing outreach: Targeted or broadcast outreach to encourage recipients to add the sender to an allow-list is considered a viable, albeit challenging, social solution.
• Alert functionality: When emails are used for critical alerts, the risk of DMARC failures means these alerts may not reach their intended recipients, impacting system monitoring or operational efficiency.

Key considerations

• Policy adjustment: Given uncontrollable forwarding behavior, some marketers may opt for a less stringent DMARC policy, such as p=quarantine instead of p=reject, to avoid blocking important forwarded messages.
• Identify problem domains: Even without direct control, analyzing DMARC reports can help identify specific recipient domains or IP ranges that consistently cause failures, allowing for more targeted communication if possible.
• Non-marketing context: It is important to remember that DMARC failures due to forwarding can affect transactional or alert emails, not just marketing messages, complicating the resolution approach.
• Alternative notification systems: For critical information, integrating non-email based alert systems can provide a reliable fallback when email forwarding is problematic.
• Rogue reports: Consider the possibility that some DMARC failure reports might be generated by recipient-side appliances that ignore authentication errors, yet still send reports, leading to misleading data. This is a common reason DMARC fails.

Key opinions

• Authentication decay: Experts confirm that traditional forwarding mechanisms often break SPF and can invalidate DKIM signatures if headers are altered, leading to DMARC failure. This issue is a fundamental aspect of email authentication.
• ARC's role: Authenticated Received Chain (ARC) is designed to preserve authentication results across forwarding hops. While not universally adopted, it is seen as the primary technical solution to DMARC failures with forwarded mail. Learn more about how to implement ARC.
• DKIM importance: Strong and persistent DKIM signing is crucial, as it is more resilient to forwarding than SPF. Ensuring a valid DKIM signature that survives forwarding can help maintain DMARC alignment.
• Policy choice: Experts often advise caution with a p=reject policy in scenarios with significant legitimate forwarding, suggesting p=quarantine or p=none while investigating. Consider how to roll out DMARC enforcement carefully.

Key considerations

• Sender responsibility: Even with forwarding challenges, senders are responsible for ensuring their initial authentication is impeccable, providing the best possible foundation for deliverability.
• DMARC monitoring: Continuous monitoring of DMARC reports is vital for identifying patterns of failure and understanding which forwarding networks are most problematic. For more, see email forwarding impacts on DMARC.
• Policy adjustment: For sensitive or critical communications, a DMARC policy that allows for greater tolerance of forwarding, like p=none, might be necessary to ensure delivery, even if it compromises strict enforcement against spoofing.
• Education and advocacy: While challenging, advocating for recipient-side adoption of ARC or proper forwarding configurations remains a long-term goal for the industry.

Key findings

• SPF invalidation: Documentation confirms that when an email is forwarded, the IP address changes, causing SPF authentication to fail because the new sending IP is not authorized in the original sender's SPF record.
• DKIM fragility: While DKIM is more robust, forwarding services can sometimes modify email headers or body content, breaking the DKIM signature and leading to DMARC failure.
• DMARC alignment: DMARC requires either SPF or DKIM to pass AND align with the From domain. Forwarding disrupts this alignment, leading to DMARC failures.
• ARC as a solution: Authenticated Received Chain (ARC) is a protocol designed to preserve original email authentication results (SPF, DKIM, DMARC) across forwarding hops, allowing receiving mail servers to validate the legitimacy of forwarded messages. This is part of an advanced guide to email authentication.

Key considerations

• DKIM signing: Documentation often emphasizes the importance of DKIM signing all outgoing emails with the sender's domain, as DKIM is more resilient to changes introduced by forwarding than SPF.
• Policy enforcement: DMARC policies (p=none, p=quarantine, p=reject) must be carefully chosen, considering the impact on legitimate forwarded emails. A more lenient policy might be necessary if critical forwarded mail is affected. For examples, see simple DMARC policy examples.
• DMARC reporting: Regularly reviewing DMARC reports (aggregate and forensic) is essential to identify the scale and source of forwarding-related failures and to refine policies. Common pitfalls in DMARC configuration often include ignoring these reports.
• PostSRSd: Some technical documentation mentions solutions like PostSRSd for re-signing DKIM headers for forwarded mail, but this requires control over the forwarding mail server, which is typically not held by the original sender.